Using App Wrapper and DMG Canvas for a more complex install?

For an upcoming app suite, I have 4 apps, 3 PDF files, and a license file.

Since I manage the whole thing through App Wrapper, should the following work (@Sam Rowlands ?):

  • Create the DMG Canvas Layout
  • Wrap and Sign three of the four apps in JUST App Wrapper - do NOT package them
  • Add these three apps and the other files to that DMG Canvas layout along with a dummy position for the fourth app
  • The fourth app will then be set to sign and create a DMG using the DMG Canvas file above
  • Sign and Notarize the DMG as part of the fourth app’s App Wrapper run

I ask if it SHOULD work because I keep getting a signing failure from one (or all three) of the other apps on the DMG when the fourth is run.

I sorted it out - the DMG template was grabbing the pre-App Wrapper versions of two of the other 3 apps.

This works wonderfully.

Just want to add that I use the same system, but I don’t run my DMG through App Wrapper; DMG Canvas seems to have its own signing thing, which is good enough for me. (Maybe not everyone though.)

And a good time to again sing praises for App Wrapper and Sam’s diligence.

Hi @Tim Jones - Sorry I wasn’t able to answer your question in time, and I am glad to hear that you’ve figured out the cause of the problem. Let me make a note of your procedure, as I might be able to find a way to make it easier to do.

Hey @Garth Hjelte thank you for your nice words 🙂

The reason I combine the two is that App Wrapper then handles Notarization of the whole thing so that both the DMG and my apps are notarized.

I thought the way disk image notarization actually worked was that it notarized the apps within. I remember an issue where you couldn’t notarize a disk image with a license agreement because the disk image wouldn’t mount.

@Sam Rowlands could we get a refresher on this? I’d like to be sure I know how it works 🙂

Lol… I can’t say for sure. A lot of what I think I know is speculation based on little snippets here and there. Most of the internal stuff is undocumented and my attempts to get clarification on some things (from members within the team responsible) often don’t get answered.

It is my understanding that when an application is Notarized, a record is created on Apple’s servers (most likely using the UUID of the executables), regardless of the compressed file format used. DMG & PKG have support for an embedded ticket. So does Xip, but Apple will only accept Xip files from Apple and this is not expected to change ever.

When you open the compressed file, the OS inspects the ticket and appends it to the machine’s local database. If the OS can’t find a ticket it checks online for one. In theory you don’t NEED to include a ticket with the archive, however given the total unreliability of Apple’s services this year, I’d not recommend taking a chance.

I was thinking about this. Recently I built an interrogation mechanism for DMG to find the main executable when adding a DMG file to App Wrapper’s Notarize window that wasn’t auto added by App Wrapper. It’s possible I can adapt this mechanism to check the signatures on all the application bundles it finds, so then App Wrapper can alert you if the incorrect application is on the DMG.

As always, adding these kinds of checks will add more to do to the wrapping process and therefore will make wrapping take longer.
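
A check of the kind discussed above, verifying the signature of every application bundle on a disk image so that a stale pre-signing copy is caught before notarization, could look like this. It is an added example, not App Wrapper's code and not something posted in the thread; it assumes macOS `hdiutil` and `codesign`, and `verify_bundle`, `check_volume`, `check_dmg` and the `CODESIGN_VERIFY` override are hypothetical names.

```shell
#!/bin/sh
# Added example (not App Wrapper's code): verify every .app on a disk image.
# Assumes macOS hdiutil and codesign. CODESIGN_VERIFY is a hypothetical hook
# naming a command or shell function to use instead of codesign (dry runs).

# Return 0 when the bundle's signature, including nested code, verifies.
verify_bundle() {
    if [ -n "${CODESIGN_VERIFY:-}" ]; then
        "$CODESIGN_VERIFY" "$1"
    else
        codesign --verify --deep --strict "$1" 2>/dev/null
    fi
}

# Check each outermost .app under a folder or mounted volume.
# Prints one line per bundle; returns non-zero if any bundle fails.
# Paths containing newlines are not supported.
check_volume() {
    cv_failed=0
    cv_list=$(mktemp) || return 2
    # -prune stops at the outermost bundle; --deep covers helpers inside it.
    find "$1" -type d -name '*.app' -prune > "$cv_list"
    while IFS= read -r cv_app; do
        if verify_bundle "$cv_app"; then
            echo "ok      $cv_app"
        else
            echo "FAILED  $cv_app"
            cv_failed=$((cv_failed + 1))
        fi
    done < "$cv_list"
    rm -f "$cv_list"
    [ "$cv_failed" -eq 0 ]
}

# Mount a DMG read-only at a private mount point, check it, unmount.
check_dmg() {
    cd_mnt=$(mktemp -d) || return 2
    hdiutil attach "$1" -nobrowse -readonly -mountpoint "$cd_mnt" >/dev/null || return 2
    check_volume "$cd_mnt"; cd_rc=$?
    hdiutil detach "$cd_mnt" >/dev/null
    rmdir "$cd_mnt" 2>/dev/null
    return "$cd_rc"
}

# Usage: sh check_dmg.sh MySuite.dmg   (file name is a placeholder)
if [ "$#" -gt 0 ]; then
    check_dmg "$1"
    exit $?
fi
```

Running `check_volume` on the staging folder that the DMG layout pulls from catches an unsigned copy before the image is built.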